- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 03 Feb 2010 22:32:17 +0100
- To: Tyler Close <tyler.close@gmail.com>
- CC: Jonas Sicking <jonas@sicking.cc>, Maciej Stachowiak <mjs@apple.com>, Anne van Kesteren <annevk@opera.com>, WebApps WG <public-webapps@w3.org>
Tyler Close wrote:
> On Wed, Feb 3, 2010 at 1:00 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> Another thing that might be worth noting is that if the UA contains a
>> HTTP cache (which most popular UAs do), the UA must never use a cached
>> response that was the result of a request that was made with
>> credentials, when making a request without. The same goes the other
>> way around.
>
> I gather this is because sites do not reliably use the Vary header?

"When a shared cache (see Section 13.7) receives a request containing an Authorization field, it MUST NOT return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds:..."

<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.8>

> ...

BR, Julian
Received on Wednesday, 3 February 2010 21:34:33 UTC
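
The following sketch is an added example, not part of the original message or of any UA's code. It models the rule discussed in the thread: a UA cache that relies only on `Vary` leaks a credentialed response when the origin omits `Vary: Cookie`, while a cache partitioned by credentials mode does not. `UaCache`, `origin`, `fetchVia`, `demo`, the cookie value and the URL are constructed for illustration, and freshness handling is left out.

```javascript
// Added illustration; UaCache, origin, fetchVia and demo are hypothetical names.
class UaCache {
  constructor(partitionByCredentials) {
    this.partition = partitionByCredentials;
    this.entries = new Map(); // primary key -> list of stored variants
  }
  // Secondary key built only from the request headers the stored Vary names.
  varyKey(vary, reqHeaders) {
    return (vary || "").split(",").map(h => h.trim().toLowerCase())
      .filter(Boolean).sort().map(h => `${h}=${reqHeaders[h] || ""}`).join("&");
  }
  key(url, withCredentials) {
    // Partitioned: credentialed and uncredentialed requests never share entries.
    return this.partition ? `${withCredentials ? "cred" : "anon"}|${url}` : url;
  }
  lookup(url, reqHeaders, withCredentials) {
    const variants = this.entries.get(this.key(url, withCredentials)) || [];
    const hit = variants.find(v => v.varyKey === this.varyKey(v.vary, reqHeaders));
    return hit ? hit.body : null;
  }
  store(url, reqHeaders, withCredentials, res) {
    const k = this.key(url, withCredentials);
    const vary = res.headers["vary"];
    const variants = this.entries.get(k) || [];
    variants.push({ vary, varyKey: this.varyKey(vary, reqHeaders), body: res.body });
    this.entries.set(k, variants);
  }
}

// Constructed origin: personalises on Cookie; sendsVary controls "Vary: Cookie".
function origin(reqHeaders, sendsVary) {
  const user = /user=(\w+)/.exec(reqHeaders["cookie"] || "");
  const headers = sendsVary ? { vary: "Cookie" } : {};
  return { headers, body: user ? `inbox of ${user[1]}` : "please log in" };
}

function fetchVia(cache, url, withCredentials, sendsVary) {
  const reqHeaders = withCredentials ? { cookie: "user=alice" } : {};
  const cached = cache.lookup(url, reqHeaders, withCredentials);
  if (cached !== null) return cached;
  const res = origin(reqHeaders, sendsVary);
  cache.store(url, reqHeaders, withCredentials, res);
  return res.body;
}

// Credentialed request first, then an uncredentialed one for the same URL.
function demo(partition, sendsVary) {
  const cache = new UaCache(partition);
  const url = "https://example.test/inbox"; // constructed URL
  return [fetchVia(cache, url, true, sendsVary), fetchVia(cache, url, false, sendsVary)];
}
```

`demo(false, false)` returns the credentialed body for both requests, which is the leak; `demo(true, false)` keeps the two apart without depending on the origin's `Vary` header.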